JetBrains Marketplace Help

Understanding plugin security

JetBrains IDEs allow users to enhance functionality through plugins. While plugins unlock powerful customization, installing them introduces potential security risks. We want to outline what you need to know about plugin security so you can use JetBrains IDEs safely and with confidence.

How plugins work: full access architecture

Plugins in JetBrains IDEs run as part of the IDE and have the same access rights as the IDE itself. This means that plugins can:

  • Read, modify, or delete any files and data that the IDE user can access.

  • Connect to the internet or a local network without additional user prompts or restrictions.

  • Execute code, interact with the operating system, and integrate deeply with the IDE’s core features.

When you install a plugin, you are granting it a high level of trust, similar to installing any application on your computer. The IDE does not restrict plugins using fine-grained permissions, nor does it isolate (sandbox) them.

Plugin moderation

Every plugin published on JetBrains Marketplace is subject to a moderation process, which includes:

  • Initial automatic checks: As soon as a plugin archive is submitted for upload, real-time checks evaluate the uploaded files. Plugins may be automatically rejected or flagged if files fail to meet specified criteria, like invalid parameters, incorrect archive structure, dependency issues, or suspicious activities. We are also working on introducing additional automated security checks for plugin uploads in the future.

  • Review: All new plugins and updates are reviewed by the JetBrains Marketplace team to ensure compliance with our guidelines. This includes manual checks, Plugin Verifier execution, and user interface (UI) integration tests.

  • Post-approval review: If a plugin is later found to violate policies or cause harm, it may be unpublished or removed from JetBrains Marketplace.

Actions with problematic plugins

If you notice unexpected plugin behavior, such as network requests or file access, take the following steps:

  1. Disable and/or uninstall:

    Go to Settings/Preferences | Plugins | Installed, locate the plugin, and disable or uninstall it. Restart the IDE to fully remove its code and prevent it from running.

  2. Review your environment:

    Since plugins can modify files or IDE settings, some changes may remain even after removal. Uninstalling a plugin does not guarantee that all its effects are undone.

  3. Report the plugin:

    Click Report Plugin on the plugin’s page to notify the JetBrains Marketplace team.

    We investigate such reports with great care and take appropriate action based on our findings.
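As an aid to reviewing your environment, the following added example (not JetBrains code) lists the plugins present in an IDE plugins directory by reading each plugin's `META-INF/plugin.xml` descriptor. It assumes the usual on-disk layout (`<plugin>/lib/*.jar` or a single `*.jar`) and takes the plugins directory as an argument, since its location depends on the OS and IDE version; the sample plugin it builds when run without arguments is constructed.

```python
import sys, tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

DESCRIPTOR = "META-INF/plugin.xml"  # plugin descriptor inside the plugin's jar

def read_descriptor(jar):
    """Return metadata from a jar's plugin descriptor, or None if it has none."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if DESCRIPTOR not in zf.namelist():
                return None
            root = ET.fromstring(zf.read(DESCRIPTOR))
    except (zipfile.BadZipFile, ET.ParseError, OSError):
        return None  # unreadable archive or malformed XML: skip, do not crash
    if root.tag != "idea-plugin":
        return None
    text = lambda tag: (root.findtext(tag) or "").strip()
    vendor = root.find("vendor")
    return {"id": text("id"), "name": text("name"), "version": text("version"),
            "vendor": text("vendor"),
            "vendor_url": vendor.get("url", "") if vendor is not None else "",
            "jar": str(jar)}

def inventory(plugins_dir):
    """List plugins under plugins_dir: <plugin>/lib/*.jar or a bare *.jar."""
    root = Path(plugins_dir)
    jars = sorted(list(root.glob("*.jar")) + list(root.glob("*/lib/*.jar")))
    found = [m for m in map(read_descriptor, jars) if m]
    return sorted(found, key=lambda m: (m["id"], m["jar"]))

def build_sample(base):
    """Constructed sample layout: one plugin jar plus one library jar."""
    lib = Path(base) / "demo-plugin" / "lib"
    lib.mkdir(parents=True)
    xml = ('<idea-plugin><id>com.example.demo</id><name>Demo</name>'
           '<version>1.2.3</version>'
           '<vendor url="https://example.com">Example Vendor</vendor></idea-plugin>')
    with zipfile.ZipFile(lib / "demo-plugin.jar", "w") as zf:
        zf.writestr(DESCRIPTOR, xml)
    with zipfile.ZipFile(lib / "helper-lib.jar", "w") as zf:
        zf.writestr("README.txt", "no descriptor here")
    return base

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for p in inventory(target):
        print(p["id"], p["version"], p["vendor"], p["vendor_url"], sep="\t")
```

The script only reads archives and never loads plugin code. Compare its output with the plugins you expect to have installed, and treat unfamiliar IDs or vendors as candidates for the steps above.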

Plugin installation considerations

While JetBrains Marketplace moderates plugins, users should still make informed choices.

Before installing a plugin, you may consider:

  • Download numbers and user reviews: High download numbers and positive reviews can indicate reliability, though they are not a firm guarantee of safety.

  • Frequency of updates: Regular updates typically indicate that plugin developers are actively maintaining and improving their plugins.

  • Vendor transparency: Many trusted vendors provide open documentation, a bug tracker, or a support email address, as these are essential for reporting issues and requesting help.

  • The vendor’s status: The presence of a Verified Vendor badge indicates that JetBrains has confirmed the identity of the plugin vendor as a legitimate individual or registered business. While it doesn’t guarantee plugin quality, it adds a level of trust by confirming that the vendor is authentic and accountable.

Continuous security improvements

The JetBrains team is dedicated to embedding security into all aspects of our development tools and plugin ecosystem. We are continuously working on security enhancements to deliver trusted plugins to our community.

Enterprise users

Organizations seeking centralized control over plugin use may refer to IDE Provisioner (part of JetBrains IDE Services) for enterprise solutions related to plugin management.

Last modified: 17 June 2025